OpenProcess: access denied error only on Windows 8.1

6
votes

I have a program which adjusts SeDebugPrivilege and then starts to iterate through system processes and calls OpenProcess for them (and does other stuff, but it's not important now). Also the program runs in administrator mode of course. On Windows XP and Windows 7 it works fine, but on Windows 8.1 OpenProcess fails for the following system processes with ERROR_ACCESS_DENIED(5): smss.exe, csrss.exe, services.exe. As I know with SeDebugPrivilege I should be able to open these processes and retrieve a handle for them. Does anybody have a clue, what kind of magic causes this error only on Windows 8.1?

(Anyway I have the same error with the same processes for CreateToolhelp32Snapshot)

3
windowswinapiwindows-8.1openprocess
I guess you don't have enough rights any more.David Heffernan

3 Answers

6
votes

Windows 8.1 introduces the concept of a system protected process. This is documented in the context of third-party anti-malware software, but it seems reasonable to suppose that it is also used to protect particularly critical system processes.

System protected processes are an extension of the Protected Process mechanism (Microsoft Word document) introduced in Windows Vista as a DRM measure.

You cannot obtain any of these access rights for a protected process, even with debug privilege:

  • DELETE
  • READ_CONTROL
  • WRITE_DAC
  • WRITE_OWNER
  • PROCESS_CREATE_THREAD
  • PROCESS_DUP_HANDLE
  • PROCESS_QUERY_INFORMATION
  • PROCESS_SET_QUOTA
  • PROCESS_SET_INFORMATION
  • PROCESS_VM_OPERATION
  • PROCESS_VM_READ
  • PROCESS_VM_WRITE

You should still be able to open the process by requesting PROCESS_QUERY_LIMITED_INFORMATION access. According to the documentation, SYNCHRONIZE and PROCESS_TERMINATE access are also permitted.

1
votes

It can only be done in the kernel. The best way to get the info you need would be to:

PsLookupProcessByProcessId()
KeStackAttachProcess()
ZwQueryInformationProcess() or whatever other functions you need to now call within the context of the attached process.
KeStackDetachProcess()

Or if you are just experimenting and not putting anything into production code, you can traverse the various semi-opaque structures (EPROCESS, PEB, VAD, etc) to get the information you need.

1
votes

I was recently running into Access is Denied errors (error code 5 in my case), while running the Win32 OpenProcess API and then later while running CreateProcessAsUser. In my case, I was running on Windows 10, but I suspect it's similar, but since I got it working I thought I would share a couple things that helped me.

As I was using C# my Win32 method signature is as follows:

[DllImport("kernel32.dll")]
        private static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

One key factor that effected the success of accessing the existing process, which in my case was a winlogon.exe process, was to properly defined the right "desired access" value. In my case, I used a constant "MAXIMUM_ALLOWED" defined as:

private const uint MAXIMUM_ALLOWED = 0x2000000;

This call to the service looks like this:

IntPtr hProcess = OpenProcess(MAXIMUM_ALLOWED, false, targetWinlogonProcessId);

This established the right kind of access. I was also running my process (web service) as the LocalSystem account, which had pretty good privileges. It started off as:

enter image description here

Please note, I was able to run this command using the SYSTEM account, by downloading PsExec.exe and running PsExec.exe -i -s cmd.exe to launch a command prompt so I could query the privileges using that account. You can find a good list of permissions here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

In my case, I wanted to add SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, which I added via secpol.msc:

enter image description here

Your particular permissions required may depend on the account you're using, but I hope this helps!